Back to skill

Security audit

scholar-search-aisa

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as academic paper search, but its bundled client also exposes broader web search, URL extraction, and AI research features that are not clearly disclosed.

Review before installing. Install only if you are comfortable providing an AISA API key and allowing the skill to send not just scholarly queries, but also general web searches, URLs, and research prompts to api.aisa.one. The publisher should either narrow the client to scholar search or update the skill description to clearly disclose the broader search, extraction, and AI synthesis capabilities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements a broad multi-search CLI with web search, Tavily search, arbitrary URL extraction, Perplexity/Sonar querying, and a multi-source synthesis workflow, which materially exceeds the declared scholar-search skill scope. In an agent-skill setting, this scope expansion increases data egress paths and enables behaviors users and reviewers would not expect from a narrowly scoped academic-search tool.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The extract command accepts arbitrary user-supplied URLs and sends them to an external extraction service, allowing the skill to retrieve and process content from essentially any destination without scholar-specific constraints. In a scholar-search context, this is dangerous because it broadens the trust boundary, may exfiltrate sensitive URLs or fetched content to a third party, and creates capability creep inconsistent with user expectations.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The sonar command exposes general-purpose deep-research/LLM-answering behavior that is not necessary for a scholar-search skill and routes user queries to separate model endpoints. While not inherently malicious, this creates an unnecessary external processing channel and can cause users to disclose prompts or data under the assumption they are using a simple academic search tool.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The verity workflow performs parallel multi-source retrieval, computes confidence scores, and sends aggregated results to an explanation endpoint for AI synthesis, which goes beyond straightforward scholar search. This increases the amount of user-derived and third-party content transmitted externally and introduces additional opaque processing that may not be expected from the declared skill purpose.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The module docstring explicitly presents the code as a multi-search engine CLI spanning web, scholar, smart, tavily, extract, sonar, and verity modes, contradicting the much narrower manifest description. This mismatch is risky in a skill ecosystem because reviewers and users may grant trust based on the manifest while the implementation exposes materially broader capabilities.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.